Menu
I want to apply web service security according to OWASP Web Service Security. Thereby I stumbled over the two points:
So far there is just a RESTful service which can be directly accessed by a client. For each request the client needs to authenticate by the server. All communication is secured via TLS. I'm now unsure about Message Integrity since I don't understand the sentence:
When using public key cryptography, encryption does guarantee confidentiality but it does not guarantee integrity since the receiver's public key is public. For the same reason, encryption does not ensure the identity of the sender.
Is it also required that the data was signed by the client in order that message integrity is ensured? TLS is only point-to-point, what is about proxies?
Concerning Message Confidentiality, I understood it as follows.
Did I understand that right?
806
TLS provides data integrity by calculating a message digest. For more information, refer to Data integrity of messages. Use of TLS does ensure data integrity, provided that the CipherSpec in your channel definition uses a hash algorithm as described in the table in Enabling CipherSpecs.
The rest can use encrypted transport with SSL or TLS. When data is encrypted in transit, it can only be compromised if the session key can be compromised.
TLS provides three primary services that help ensure the safety and security of data exchanged with it: Authentication. Authentication lets each party to the communication verify that the other party is who they claim to be. Encryption.
Ensure message confidentiality by converting the contents to ciphertext with XML encryption. This encryption ensures that data remains private and confidential, and that it cannot be viewed by unauthorized users or eavesdroppers. Ensure message integrity and authentication by signing a message with a digital signature.
From the TLS specification:
The primary goal of the TLS Protocol is to provide privacy and data integrity between two communicating applications. [...]
The connection is private. Symmetric cryptography is used for data encryption (e.g., DES [DES], RC4 [SCH] etc.). [...]
The connection is reliable. Message transport includes a message integrity check using a keyed MAC. Secure hash functions (e.g., SHA, MD5, etc.) are used for MAC computations. The Record Protocol can operate without a MAC, but is generally only used in this mode while another protocol is using the Record Protocol as a transport for negotiating security parameters.
So, yes, TLS will provide you with integrity and confidentiality of the message during its transport, provided that it was used correctly.
In particular, the client needs to verify the certificate to ensure it is communicating with the right server (verifying that the certificate is genuine and issued by a trusted party, and issued to the host name it intended to contact).
- Use TLS to ensure message confidentiality over the wire.
- Use a symmetric encryption to encrypt the transmitted data.
TLS will provide confidentiality via encryption. (You need to use an appropriate cipher suite, in particular not a anonymous cipher suite or a cipher suite will null encryption, but that's always the case by default.)
- The encrypted data get stored in data base.
If you want to encrypt the data in your database, that's a different problem. TLS only provides you with integrity and confidentiality during transport. Once it's handled by your web application, it's deciphered.
TLS is only point-to-point, what is about proxies?
HTTP proxies only relay the TLS traffic as-is, without looking into it or altering it. (Some proxy servers can intercept the traffic, but the certificate verification would fail, unless you forget to check the certificate.)
159
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
